The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The...
Transcript of The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The...
![Page 1: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/1.jpg)
The (Decentralized)
USENIX Security 2011
Peter Eckersley Jesse Burns EFF iSEC
![Page 2: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/2.jpg)
SSL/TLS : Earth's most popular cryptographic system
![Page 3: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/3.jpg)
How strong is this infrastructure?
![Page 4: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/4.jpg)
at best, as good as itsability to authenticate the other party
![Page 5: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/5.jpg)
How does that happen?
With X.509 certificates signed by Certificate Authorities (CAs)
![Page 6: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/6.jpg)
SSL, TLS, HTTPS, X.509, PKIX
SSL ~= TLSHTTPS = HTTP + TLSTLS uses certificates
X.509 = certificates!PKIX = public X.509
![Page 7: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/7.jpg)
Investigates:
how imperfect are CAs?what are they signing?
how large is the PKIX attack surface?
The SSL Observatory
![Page 8: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/8.jpg)
Methodology:
Collect all the X.509 certificatesSee what's in them
The SSL Observatory
![Page 9: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/9.jpg)
2010:
Scanned all allocated IPv4 space(port 443)
Built a system for analysing the data
The SSL Observatory
![Page 10: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/10.jpg)
2011:
Decentralized Observatory client
Opt-in feature for HTTPS Everywhere
Uses Tor for anonymization
Launching this afternoon!
The SSL Observatory
![Page 11: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/11.jpg)
Scanning IPv4
3 billion IANA-allocated addresses
Partition into work units
Use nmap to SYN scan port 443
Followup to collect certificates
![Page 12: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/12.jpg)
Decentralized Observatory
Interesting phenomena may be localizedWant to see certs from many viewpoints
![Page 13: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/13.jpg)
Observatory Browser Extension
Collects: certificiate chain*, destination domain, approx. timestamp, optional ASN +
server IP
Whitelists for scalabilityDoes not log client IP
Returns: known reasons for mistrustEarly alpha implementation
![Page 14: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/14.jpg)
The CA says:
”This certificate and its key belong to www.eff.org.”
And enforce honestly and reasonableness*
Those certificates
![Page 15: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/15.jpg)
They have a hard job, with odd incentives
2009: 3 vulnerabilities due to CA mistakes
2010: evidence of governments compelling CAs
There seemed to be a lot of them
We were afraid of CAs because:
![Page 16: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/16.jpg)
Also afraid of X.509
Designed in 1980sBy the ITU (!), before HTTP (!!!)
+ extremely flexible & general
- extremely flexible & general - extremely ugly
- history of implementation vulnerabilities
![Page 17: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/17.jpg)
X.509: Security via digital paperwork
X.509 certs can (and do) contain just about anything
![Page 18: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/18.jpg)
How many kinds of anything?
![Page 19: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/19.jpg)
#!/usr/bin/env python
# diversity.py -- estimate the number of different certificate types and # combinations of fields in them
from dbconnect import dbconnectdb,dbc = dbconnect()q = """SELECT *,`X509v3 extensions:X509v3 Key Usage`, `X509v3 extensions:X509v3 Extended Key Usage`, `X509v3 extensions:X509v3 Basic Constraints:CA`, `X509v3 extensions:Netscape Cert Type`FROM all_certs WHERE certid >= %d and certid < %d"""
dbc.execute("SELECT count(certid) from all_certs")n = int(dbc.fetchone()[0])print n, "rows"
fset = {}for i in range(n / 1024): q1 = q % (i* 1024, (i+1) * 1024) dbc.execute(q1) batch= dbc.fetchall() for row in batch: cert, type_fields = row[:-4], row[-4:] bits = 0 for field in cert: if field==None: bits |= 0x01 elif type(field) == str and ("critical" in field): bits |=0x02 bits <<= 2 key = (type_fields, bits) fset[bits]=True
print len(fset)
![Page 20: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/20.jpg)
By this approximate measure:
10,320 kinds of X.509 certs were observed
1,352 kinds were sometimes valid
Not as bad as a million kinds, still hard to process automatically
![Page 21: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/21.jpg)
16.2M IPs were listening on port 44311.3M started an SSL handshake
4.3+M used valid cert chainswith only
1.5+M distinct valid leaves
Size of the SSLiverse
![Page 22: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/22.jpg)
Lots of CAs!
1,482 CAs trustable by Microsoft or Mozilla1,167 disinct Issuer strings
651 organisations
Mac OS X would add a few more
![Page 23: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/23.jpg)
![Page 24: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/24.jpg)
Credit: Raffael Marty
![Page 25: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/25.jpg)
Noteworthy subordinate CAs
U.S. Department of Homeland Security
U.S. Defence Contractors
Oil Companies
CNNIC
Etisalat
Gemini Observatory
![Page 26: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/26.jpg)
A note about CNNIC
Controversy: Mozilla added CNNIC to the trust root in 2009
But: Entrust signed a CNNIC subordinate CA in 2007
SHECA/Unitrust, another Chinese sub-CA appears to date
from 2004 in the Microsoft roots
![Page 27: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/27.jpg)
Exposure to many jurisdictions
CAs are located in these ~52 countries:
['AE', 'AT', 'AU', 'BE', 'BG', 'BM', 'BR', 'CA', 'CH', 'CL', 'CN', 'CO', 'CZ', 'DE', 'DK', 'EE', 'ES', 'EU', 'FI', 'FR', 'GB', 'HK', 'HU', 'IE', 'IL', 'IN', 'IS', 'IT', 'JP', 'KR', 'LT', 'LV', 'MK', 'MO', 'MX', 'MY', 'NL', 'NO', 'PL', 'PT', 'RO', 'RU', 'SE', 'SG', 'SI',
'SK', 'TN', 'TR', 'TW', 'UK', 'US', 'UY', 'WW', 'ZA']
![Page 28: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/28.jpg)
Vulnerabilities (2010)
~30,000 servers use broken keys
~500 had valid CA signatures, including:
diplomatie.beyandex.ru
lawwebmail.uchicago.edu
(now fixed/expired)
![Page 29: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/29.jpg)
Vulnerabilities
Certificates that appear ''Valid” but don't identify anyone in particular.
Names like Localhost, Exchange, Mail, and IP addresses
Even private RFC 1918 IP addressesUndermines the idea of CAs
![Page 30: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/30.jpg)
Other whackiness
Certificates that were and were not CA certs
Violations of Extended Validation rules
Certificates with huge lists of names
New CA certificates with keys from expired certificates
![Page 31: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/31.jpg)
Also, we've published the data, so you can do further research on it
![Page 32: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/32.jpg)
The schema for the 2010 datasets was quite baroque
(we may or may not keep using it)
![Page 33: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/33.jpg)
Some simple examples:
![Page 34: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/34.jpg)
SELECT RSA_Modulus_Bits, count(*) FROM valid_certs GROUP BY RSA_Modulus_BitsORDER BY cast(RSA_Modulus_Bits as decimal);
+------------------+----------+| RSA_Modulus_Bits | count(*) |+------------------+----------+| 511 | 3 || 512 | 3977 || 730 | 1 || 767 | 1 || 768 | 34 || 1023 | 968 || 1024 | 821900 || ... | ... |+------------------+----------+
![Page 35: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/35.jpg)
SELECT `Signature Algorithm`, count(*)FROM valid_certs WHERE startdate > ”2010”GROUP BY `Signature Algorithm`;
+--------------------------+----------+| Signature Algorithm | count(*) |+--------------------------+----------+| md5WithRSAEncryption | 3 || sha1WithRSAEncryption | 455511 || sha256WithRSAEncryption | 17 || sha512WithRSAEncryption | 1 |+--------------------------+----------+
![Page 36: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/36.jpg)
SELECT distinct issuerFROM valid_certs WHERE stardate > ”2010” AND `Signature Algorithm`= " md5WithRSAEncryption";
+------------------------------------------------------------------------+| issuer |+------------------------------------------------------------------------+| O=Ministere de la Justice, CN=Autorite de Certification Serveurs || C=US, O=Anthem Inc, OU=Ecommerce, CN=Anthem Inc Certificate Authority |+------------------------------------------------------------------------+
(fortunately, these CAs don't robo sign)
![Page 37: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/37.jpg)
Validity
”Easy”, just invoke openssl with the Microsoft + Mozilla trust roots
![Page 38: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/38.jpg)
Firefox and IE cache intermediate CA certificates...
So OpenSSL can't necessarily say whether a cert is valid in these browsers (!!!)
Actually, not that easy...
![Page 39: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/39.jpg)
”Transvalidity”
valid, but only if the browser cached the right intermediate CA certs first
→
we catch most transvalid certs
![Page 40: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/40.jpg)
transvalidity.py
First, find invalid certs where a plausible, valid intermediate cert was seen somewhere in the SSLiverse:
SELECT certs1.path, certs1.id, valid_certs.path, certs1.fingerprint, certs1.fetchtime
FROM certs1 join valid_certsON certs1.issuer = valid_certs.subject and (
(certs1.`Authority Key Identifier:keyid` is null and valid_certs.`Subject Key Identifier` is null)
orcerts1.`Authority Key Identifier:keyid` =valid_certs.`Subject Key Identifier`
)WHERE not certs1.valid and
(locate("unable to get local issuer certificate", certs1.moz_valid) or locate("unable to get local issuer certificate", certs1.ms_valid) )
GROUP BY certs1.fingerprint, valid_certs.path
Note: some variable names were simplified in this query:certs1 is an example raw input certs table, Authority Key IDs have longer column names
![Page 41: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/41.jpg)
transvalidity.py (ct'd)
Once we have some missing, valid, possibly determinative CA certs, we re-run OpenSSL:
openssl verify -CApath <all roots> -untrusted <rest of chain + query results> cert
Results go in the ”transvalid” column
select count(*) from valid_certs where transvalid="Yes"
→ 97,676 tranvalid certs
![Page 42: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/42.jpg)
More examples of the dataset at work...
![Page 43: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/43.jpg)
Which root CAs created the most subordinate CAs? SubordinateTracking.py
For each root cert:
SELECT certid, subject, issuer, `Subject Key Idenfier`FROM valid_certs where issuer = <root CA's subject>
and locate(”true”, `X509v3 Basic Constraints:CA`)and `X509v3 Authority Key Identifier:keyid` = <root CA's SKID>
(which may be NULL)
(and recurse)
![Page 44: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/44.jpg)
Results: top roots by CA proliferation
1. C=DE, CN=Deutsche Telekom Root CA 2252 sub-CAs ( 4,164 leaves)
2. C=US, CN=GTE CyberTrust Global Root93 sub-CAs ( 20,937 leaves)
3. C=SE, CN=AddTrust External CA Root72 sub-CAs ( 384,481 leaves)
4. C=BE, CN=GlobalSign Root CA63 sub-CAs ( 140,176 leaves)
5. C=US, CN=Entrust.net Secure Server Certification Authority33 sub-CAs ( 91,203 leaves)
6. C=FR, O=PM/SGDN, OU=DCSSI, CN=IGC/A...24 sub-CAs ( 448 leaves)
7. OU=ValiCert Class 3 Policy Validation Authority20 sub-CAs ( 1,273 leaves)
8. O=VeriSign, Inc, OU=Class 3 Public Primary Certification Authority18 sub-CAs ( 312,627 leaves)
![Page 45: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/45.jpg)
Another 2010 finding: 512 bit EV cert
![Page 46: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/46.jpg)
EV & The CA/Browser Forum
![Page 47: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/47.jpg)
“The CA/Browser Forum has also taken action, requiring that the CAs responsible for the non-compliant EV Certificates examine their other EV certificates for similar problems. The CA/Browser Forum expects all EV certificate issuers to adopt procedures that prevent these types of mistakes.
The issuing CAs reported that the non-compliant certificates have now been revoked and are no longer functional on the web”
![Page 48: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/48.jpg)
There are still some 1024 bit EV certs out there!
Observed: 8/11/2011
![Page 49: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/49.jpg)
Revocation!
Revocation is important and problematic
![Page 50: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/50.jpg)
... also quite informative
![Page 51: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/51.jpg)
Using the Observatory to study revocations in the real world
SELECT DISTINCT `X509v3 extensions:X509v3 CRL Distribution Points`FROM valid_certs;
-> extract URLs-> fetch CRLs-> make a revoked table
(questions/all_crls in the source)
![Page 52: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/52.jpg)
Revocations!
We currently see ~1.96 million revocations (the number fluctuates)
The BuyPass CA issued 4 revocations in the future (Nov 2011)
The Certum CA issued 5 revocations at the epoch (1970)
![Page 53: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/53.jpg)
Two scans of revocations as a function of time
![Page 54: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/54.jpg)
Listed reasons for revocation in CRLs
SELECT reason, count(*) FROM revoked GROUP BY reason;+------------------------+----------+| reason | count(*) |+------------------------+----------+| NULL | 876049 || 9 | 4589 | -- Privilege Withdrawn| Affiliation Changed | 27089 || CA Compromise | 55 || Certificate Hold | 52786 || Cessation Of Operation | 700770 || Key Compromise | 59527 || Superseded | 66415 || Unspecified | 174444 |+------------------------+----------+
-- Thanks for the honesty of those CAs who admitted CA compromise rather -- than burying it!
![Page 55: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/55.jpg)
Listed revocation reasons over time
![Page 56: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/56.jpg)
Revocations are somewhat reassuring...
what about revocability ?
![Page 57: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/57.jpg)
Revocation Support
Of 1.3+ Million unique valid leaves
683 lack revocation info
all but 1,977 have CRL Distribution Points
and 153,966 have no OCSP information
![Page 58: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/58.jpg)
Revocation Support
Some CAs offer unrevokable certificates
e.g. at https://www.akd.nl/ Truncated issuer name # non-rev leaves+-------------------------------------------------------------+-------+| C=IT, O=I.T. Telecom, OU=Servizi di certificazione, CN=I.T. | 275 || C=US, O=Anthem Inc, OU=Ecommerce, CN=Anthem Inc Certificate | 152 || C=NL, O=DigiNotar, CN=DigiNotar Services 1024 CA/emailAddre | 135 || O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign In | 88 || C=US, OU=American Express Technologies, ST=NY, CN=American | 6 || C=NL, O=DigiNotar, CN=DigiNotar Cyber CA/emailAddress=info@ | 5 || C=IT, O=Centro Nazionale per l'Informatica nella PA, OU=Ser | 5 || C=JP, O=Japan Certification Services, Inc., CN=SecureSign P | 5 || O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of us | 3 || C=MY, O=Digicert Sdn. Bhd., OU=457608-K, CN=Digisign Server | 2 || C=MY, O=Digicert Sdn. Bhd., OU=457608-K, CN=Digisign Server | 2 || CN=ACEDICOM Servidores, OU=PKI, O=EDICOM, C=ES | 2 || C=FR, O=service-public gouv agriculture, OU=0002 110070018, | 1 || C=NL, O=DigiNotar, CN=DigiNotar Services CA/emailAddress=in | 1 || C=US, O=Apple Inc., OU=Apple IST Certification Authority, C | 1 |+--------------------------------------------------------------+------+
![Page 59: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/59.jpg)
Disused unrevocable CAs
Cybertrust sub CA valid from 2001-09-06.
CPS: http://www.us-hosting.baltimore.com/CPS/OmniRoot.html
(but that is gone!)
No CRL, OCSP, or even country!
The Subject of this cert is:
C=ww, O=global, OU=pki, CN=rootca
![Page 60: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/60.jpg)
Disused unrevocable CAs
That CA signed an sub-CA too – valid from 2002-03-12
Subject is:
C=ww, O=global, OU=pki, CN=issuingca
Again dead CPS: http://www.cwsecurity.net/
4 expired certs observed below this CA
![Page 61: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/61.jpg)
So, how do we fix this mess?
![Page 62: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/62.jpg)
Some proposed mitigations
Consensus measurement (Perspectives & Convergence.io)
More vigilant auditing (Decentralized Observatory)
DNSSEC + DANE
Certificate Pinning via HTTPS headers
![Page 63: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/63.jpg)
PKIX attack surface
Compromise | Malice | Compulsion
at
~600 CAs | target site | DNS
or anywhere on the network in between :(
![Page 64: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/64.jpg)
PKIX -> DNSSEC?
Compromise | Malice | Compulsion
at
~600 CAs | target site | DNS
or anywhere on the network in between :(
![Page 65: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/65.jpg)
PKIX -> DNSSEC?
Compromise | Malice | Compulsion
at
~600 CAs | target site | DNS
or anywhere on the network in between :(
![Page 66: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/66.jpg)
PKIX -> DNSSEC?
Compromise | Malice | Compulsion
at
~600 CAs | target site | DNS
or anywhere on the network in between :( ?
![Page 67: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/67.jpg)
The biggest win from DNSSEC could be simplified TLS deployment
What to do about bit.ly or google.ae?
We would probably need a DNSSEC Observatory!
![Page 68: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/68.jpg)
Persectives, Convergence.io and other ”consensus” approaches
A nice idea but...
![Page 69: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/69.jpg)
The problem with consensus
is false positive warnings
![Page 70: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/70.jpg)
Idea: whoever used to be domain.com should stay domain.com
Much simpler than DNSSEC,bigger security win,
if it is implemented correctly
Identity pinning
![Page 71: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/71.jpg)
The right way to pin
Create a ”private CA” just for this domain
Use that in parallel to PKIX
![Page 72: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/72.jpg)
Unfortunately
Ironically, cross-signing of leaves not supported by X.509!
(X.509 assumes one Issuer per leaf cert)
will require something new...
![Page 73: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/73.jpg)
Cross-signing for pinning
Possible solutions:
A second leaf cert signed by the pinned ”private CA” key
A magic X.509 extension with a cross signature (possibly in a randomly appended cert in the chain)
![Page 74: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/74.jpg)
PKIX -> Pinning?
Compromise | Malice | Compulsion
at
~600 CAs | target site | DNS
or anywhere on the network in between :(
![Page 75: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/75.jpg)
PKIX -> Pinning?
Compromise | Malice | Compulsion
at
~600 CAs | target site | DNS
or anywhere on the network in between :(
Only on first connection
![Page 76: The (Decentralized) - USENIXstatic.usenix.org/events/sec11/tech/slides/eckersley.pdf · The (Decentralized) USENIX Security 2011 Peter Eckersley Jesse Burns EFF iSEC](https://reader031.fdocuments.us/reader031/viewer/2022030919/5b77c6a77f8b9ad3338dd688/html5/thumbnails/76.jpg)
FIN